On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
> But IPA is more complex and some operations will be performed directly
> against the specific server name, so you need to keep 2 sets of keys
> (one for the server name and one for the load balancer name), but that
> does not work right now.

One experiment that can be done is to remove all "per-server" HTTP
services for the IPA server, and instead add their name as aliases on
the common load-balancer name.

This would mean that all IPA servers would have just one key in their
HTTP keytab, but the KDC would release tickets readable by that key for
any name the clients may ask for.

It is a bit tricky, every time you build a replica you want to
load-balance you'll have to go back and remove the service and switch
keytabs, but it may be an option. Of course if you brick IPA then you
get to keep the pieces :-)


Simo Sorce * Red Hat, Inc * New York

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to